Abstract

The common security criterion d in quantum key distribution is taken to solve the universal composability problem in quantum key distribution as well as to provide a good general quantitative security guarantee. In this paper it is shown that these claims are the result of an invalid interpretation of d. The general security significance of d is analyzed in detail. The related issues of universality and the attacker's side information are discussed.

PACS #: 03.67Dd 

1 Introduction 

There have been considerable theoretical and experimental developments on the generation of a fresh (information-theoretically) secure key between two users via a protocol of the BB84 type [1], [2]. The terminology of quantum key distribution (QKD) has been used more often than not and we will take it to be synonymous with quantum key generation; other terminology that has been employed includes quantum key agreement and quantum key expansion. While there is another approach [3] to quantum key generation which does not involve an information-disturbance tradeoff or intrusion level estimation, in this paper the term QKD will refer to BB84, while "BB84" is used in a wide sense that includes Ekert-type entanglement protocols as well as protocols that utilize states other than number states. QKD is interesting because it offers the possibility of fresh key generation with information-theoretic rather than complexity-based security, and thus would survive future developments in computational power including quantum computers.

A most important foundational problem in QKD is to develop necessary and sufficient conditions for the security of QKD protocols via relevant mathematical criteria. It is imperative that such a criterion must possess a clear empirical or operational meaning that bears directly on the intuitive but sufficiently precise notion of security a user would intend. In addition to mathematical correctness, it is also imperative that the proof of an unconditional security claim includes all possible attacks Eve may launch consistent with the model situation and the laws of physics and logic, with all the side information Eve may possess taken into account. The security criterion and analysis must be scrutinized scrupulously, because, contrary to most other problems in physics and other empirical sciences, the security conclusion cannot be established by an experiment or a simulation. While it is in principle possible but difficult to falsify a security conclusion by experiment or simulation, a direct analysis of the meaning of the criterion and whether all side information has been accounted for is a more logically clear and direct approach for ascertaining the validity of a security claim.

In this paper we carry out such an analysis for the so-called universality security claim in QKD made via a criterion d in [4], [5]. The ordinary security significance of this d apart from universality will also be analyzed. It is important to scrutinize this criterion because it is currently the only one under which universality has supposedly been proven, and the interpretation given to it also makes it a very attractive security criterion in general. The nature of these claims can be briefly summarized as follows.

When the two users generate a key K between themselves under the criterion $d \le \epsilon$, according to [UEIEJE] they would share a perfect key between them with probability p that is at least $1-\epsilon$, i.e., with probability $p \ge 1-\epsilon$ the key K can be considered identical to a uniformly distributed bit string U which is independent of whatever Eve has in her possession. This is clearly a very desirable state of affairs for ordinary security concerns if $\epsilon$ is sufficiently small. With probability at least $1-\epsilon$, it also clearly implies universality, viz., the key is secure in any arbitrary context. For instance, it guarantees that any bit of K remains perfectly secret even if some other part of K is given to Eve. Thus, the so-called composition problem is solved by this universally composable security, under which K remains secure in any subsequent use in different contexts. This and similar possible interpretations of d will be analyzed, both for the universality issue and for its usual security significance. The related problem of Eve's side information, in particular her knowledge of the privacy amplification code and the error correcting code the users employ, will be brought to bear on the security issues. It is concluded that d does not possess the universality and security significance that the above claim suggests, and not even in a weaker form. Thus, the universality problem is still open in QKD, as is also the problem of a proper security criterion apart from composability.

In Section 2 the general universality problem will be discussed, especially in relation to d. In Section 3, the incorrect meanings of d will be analyzed, with specific counter-examples given on the invalid inferences for the significance of d. In Section 4, some correct meanings of d are discussed and the problem of its quantitative security guarantee is elaborated for realistic protocols. The general side information issue is commented on in Section 5 and some concluding remarks are given in Section 6.

2 Universal Composability and the Criterion d

In a direct one-way BB84 protocol, a user Alice sends another user Bob a sequence of random bits and they check a portion of it to assure that the error rate (QBER) is below a given threshold. Then an error correcting code (ECC) is employed on the rest, the sifted key, to obtain an error-free sequence between them with high probability. The resulting error-corrected key, to be called $K_c$, is passed through a hash function or privacy amplification code (PAC) to further reduce Eve's possible information, with the final generated key K as output. Eve attacks by setting her probe on the transmitted states before they reach Bob, waiting to get all the public exchange between Alice and Bob, and extracting her information on K by measuring her probes.

The generated n-bit K would have perfect security if it is uniformly distributed on the key space of $2^n$ values and is independent of everything in Eve's possession. The composition problem arises because when K is used in a specific context, e.g., in one-time pad encryption of a new data string, Eve may gain new information that may be combined with whatever is in her possession to yield possibly some information on K that she otherwise cannot obtain. The prime example is how partial key leakage would affect the rest of the key. When K is used as a one-time pad, a known-plaintext attack would reveal some of the bits exactly. The composition problem is then whether these known bits of K would increase Eve's information on the rest of K. The additional quantum problem is that Eve may hold her probe in quantum memory and choose the measurement with this side information, and perhaps then be able to unlock much new information she could not otherwise obtain.

It is crucially important that we be precise in what we are after in this composition problem. Thus two important distinctions on the composition issue will be made. First, it is clear that universality cannot obtain on arbitrary side information that may bear on K, even just classically. The side information could be trivially what K itself turns out to be, as a specific k. It could also be about how k was generated from a classical source, which would reveal something about k. Even "arbitrary context of use" is too vague, as not all such contexts can be characterized, or at least it is not clear how they may be characterized, by a single mathematical formulation, classically or quantum mechanically. Until the side information Eve may possess is explicitly specified, it is not possible to tell whether it may have something to do with the otherwise uniform key to her. An explicit illustration with the use of ECC and also PAC on $K_c$ will be given in Section 5.

Thus, it is more appropriate to separate the composition problem by the 
context in which K is actually used. Generally, partial key leakage is always 
an important consideration because some information on part of K when 
used as key can often be obtained by known-plaintext attacks also in other 
than one-time pad application. One needs to assign a specific quantitative 
measure on the "information about K" that is leaked. Typically it would 
be some specific known bits in K or some Shannon information on K itself 
directly. This leads us to the next point. 

Secondly, there is a quantitative issue on how one wants to measure the information leak. Just as in classical statistics not all unknown parameters can be modeled as random variables, not all side information S is a random variable to Eve. This may arise because S may take on too many, in fact an infinite number of, possible values with resulting infinite entropy, which for example would be the case if S describes a complete procedure of how K was physically generated. Assuming that S is a random variable, Eve could then possibly obtain information on K equal to H(S) when one measures information by the Shannon entropy $H(\cdot)$. However, if we fix attention on the partial key leakage problem, it is the rest of K that we are concerned with. Thus, we have the following situation. Consider the example of a two-bit $K = (k_1, k_2)$ in which Eve knows $k_1 \oplus k_2$. If $k_1$ is revealed to her she would know $k_2$. On the other hand, she has one bit of information on K to begin with. How do we want to measure the effect of a one-bit leak in this case? Eve has one bit to begin with and knows one bit afterward. Did she learn anything new? The case for a long K is similar.

It seems meaningful to consider how much better Eve could tell the rest of K from the other, leaked portion of it as a quantitative measure of composition security in this partial key leakage scenario, the comparison being made between the same portion of the key before and after another portion is leaked, for a given quantitative measure. In the above two-bit example, $k_2$ by itself is completely random to Eve before she knows $k_1$, but $k_1$ determines $k_2$ with probability one. The key is therefore not PKL-secure, a terminology we choose to denote security under partial key leakage. Any quantitative measure of PKL-security can be introduced on the above basis with different operational significance, but whatever it is, a uniform key independent of Eve's possession must have full PKL-security.

In the quantum case there is the additional issue of lockable information [7], that random variable side information S may reveal to Eve more than H(S) bits of information on K, which is impossible classically. From the above two-bit example it may be seen that PKL-security may be related to how much Eve knows about K before the leakage. In [8], it was suggested that if Eve's optimal mutual information on K, called the accessible information $I_{acc}$, is exponentially small in n for large n, then the n-bit K is composition secure according to their quantitative definition. While the mathematical result in [8] is correct, it was pointed out in [7] via a counter-example with one-time pad use of K that the result does not have the interpretation given in [8] to guarantee their composition security.

Already in [4], [5], a criterion d was used to "establish" universality. This d is actually also equivalent to one of several criteria discussed in [8]. Specifically, let $\rho_E^k$ be the state in Eve's possession conditioned on a generated key value k, and let

$$\rho_U := 2^{-n} \sum_k |k\rangle\langle k| \qquad (1)$$

be the completely mixed uniform state on the $|K| = 2^n$ orthonormal $|k\rangle$'s. It is assumed that the "a priori" probability of K to Eve before she measures on her probe is uniform. Then the security criterion d is the trace distance

$$d := \frac{1}{2}\,\|\rho_{KE} - \rho_U \otimes \rho_E\|_1, \qquad (2)$$

where

$$\rho_{KE} := 2^{-n} \sum_k |k\rangle\langle k| \otimes \rho_E^k \qquad (3)$$

and

$$\rho_E := 2^{-n} \sum_k \rho_E^k. \qquad (4)$$

The trace distance $\|\rho - \sigma\|_1$ between two states is related to the classical variational (statistical/Kolmogorov) distance $\delta(P,Q)$ between two probability distributions as follows [1]. For any POVM or von Neumann measurement made on $\rho$ and $\sigma$ with resulting distributions P and Q, $\|\rho - \sigma\|_1 \le \epsilon$ implies $\delta(P,Q) \le \epsilon$, where

$$\delta(P,Q) := \sum_{x} |P(x) - Q(x)|, \qquad (5)$$

and P, Q are over the same range X. Lemma 1 of [4], [9] states that for any distributions P, Q of random variables X, X', there exists a joint distribution $P_{XX'}$ such that the marginal distributions are $P_X = P$, $P_{X'} = Q$, and

$$\Pr[X \ne X'] = \delta(P,Q). \qquad (6)$$

From this result it is concluded [1], [5, Prop 2.1.1] that when $d \le \epsilon$, with probability $p \ge 1-\epsilon$ the real and the ideal situation of perfect security can be considered identical, where the ideal situation is one in which K is replaced by a uniformly distributed random variable U that is independent of $\rho_E^k$. This statement is repeatedly made [10] and provides the following two very desirable consequences. Under $d \le \epsilon$, with probability $p \ge 1-\epsilon$ the key K is universally composable (or at least so for partial key leakage), and it is the same as the uniform U case to Eve for usual security apart from composition. Such a key is called $\epsilon$-secure.

In the next section we will show that this conclusion is not valid, and neither is another related weaker one. The significance of d for security both with and apart from composition will be analyzed in detail in Section 4.
3 Analysis of Criterion d: What d Does Not Guarantee



Before we embark on a full analysis of the operational meaning and quantitative significance of the criterion d, let us note the meaning of the various quantum states involved. Eve's k-dependent probe states $\rho_E^k$ and their average $\rho_E$ have clear meanings. The key-determining state $\rho_U$ is in Bob's possession, and we can make this simplification used in [7], [9], [11] for the purpose of this paper instead of first assigning different keys $k_A$ and $k_B$ to Alice and Bob as in [5]. Then the joint state $\rho_{KE}$ of (3) on the state space $\mathcal{H}_B \otimes \mathcal{H}_E$ shared between Bob and Eve component-wise is an idealization that does not obtain in concrete realistic BB84 protocols. This is because many classical and macroscopic subsystems intervene between Bob and Eve, and there is no single pure quantum state that governs both and is known to anyone. Even if $\rho_E^k$ is re-interpreted to denote the state outside of Bob's key-determining register, such an overall pure state still does not obtain in a real protocol. On the other hand, if Bob only measures in the basis $\{|k\rangle\}$, which is what is intended in all the previous references, there is no harm, and it is perhaps mathematically convenient for some purpose, in considering d in the form of (2) involving the entangled state $\rho_{KE}$ of (3). In this situation, since Bob and Eve perform their "local" operations separately, the criterion d is exactly equivalent to

$$d = E_k\!\left[\tfrac{1}{2}\,\|\rho_E^k - \rho_E\|_1\right], \qquad (7)$$

which is a condition on $\mathcal{H}_E$ alone. Equality of the right hand sides of (2) and (7) follows from Lemma 2 of ref. [3] directly, with $E_k$ the average over the $2^n$ possible values of K. The right-hand side of (7) is indeed one of the criteria proposed in [8]. The entangled form (2) may give an illusion of being a more general criterion, but under the conditions just described, that Bob measures only in the basis $\{|k\rangle\}$, it is actually not.

It is tempting, with the entangled form of d in (2), to consider $\rho_{KE}$ as close to the product state $\rho_U \otimes \rho_E$ when d is small. If one interprets $d \le \epsilon$ as meaning that $\rho_{KE}$ is "basically" $\rho_U \otimes \rho_E$, e.g., that $\rho_{KE}$ is equal to $\rho_U \otimes \rho_E$ with probability at least $p \ge 1-\epsilon$, then the criterion d has the great significance discussed in Section 2 without any need for a justification via the variational distance through (5)-(6). It would guarantee that a uniform key U is obtained with probability $p \ge 1-\epsilon$ which is universally composable with the same probability, a quite satisfactory security situation when $\epsilon$ is sufficiently small. Such an interpretation seems to be made in various places [10] directly from the expression (2), independently of and in addition to the argument from the variational distance subsequently obtained from a measurement via (6).

However, as in the case of classical probability distributions, a single-number criterion (without coding a sequence into it) cannot so capture a whole distribution or a quantum state. This is brought out in [3], [12] and will be further discussed later. A small trace distance between two quantum states $\rho$ and $\sigma$ does not imply that $\rho$ is "basically" $\sigma$; it is simply a numerical measure that is useful for various purposes, similar to $\delta(P,Q)$, but it does not guarantee whatever empirical meaning one may want to attribute to the relation between $\rho$ and $\sigma$. Similar to the case of Eve's mutual information on the key, the $d \le \epsilon$ or $\delta_E := \delta(P,U) \le \epsilon$ criterion is fine when $\epsilon$ is sufficiently small. The serious problem is that for long bit sequences, $\epsilon$ has to be extremely small, as described in Section 4. Thus, unless the previous interpretation [10] holds, the criterion does not provide an adequate quantitative security guarantee, similar to the case of Eve's mutual information per bit [3]. Unfortunately, the interpretation does not hold.

In the following we will analyze the significance of d and show that it does not have any of the following three consequences:

(i) Through (5)-(6), the generated key K is equal to a perfect key U with probability $p \ge 1-d$ and is completely independent of Eve's knowledge and possessions.

(ii) With probability at least $1-d$, $\rho_{KE}$ is equal to $\rho_U \otimes \rho_E$ shared by Bob and Eve.

(iii) Any probability distribution P Eve may obtain by a measurement on the probe has $\delta(P,U) \le d$ for the uniform distribution U on the same support as P.

In Section 4 the possible security significance of d in both the before-usage and composition contexts will be explored.

The conclusion (i) above is explicitly asserted and "proved" as described in Section 2 of this paper, first in reference [1] and later repeated in many other papers [10]. The proof relies on the existence of a joint distribution that yields the marginal distributions P and Q and gives (6). However, to the extent it makes sense to talk about such a joint distribution, (i) would follow only if "there exists" is replaced by "for every". This is because, since there is no knowledge of such a joint distribution, one cannot assume the most favorable case via "there exists" for the security guarantee or general "interpretation" that ref. gj U El El H] give.

Indeed, it is not clear at all what realistic meaning can be given or claimed for the realization of such a joint distribution, other than the independent case $P_{XX'} = P \cdot Q$. In that case, even if both P and Q are the same uniform distribution so that $\delta(P,Q) = 0$, we have $\Pr[X \ne X'] = 1 - \frac{1}{N}$, $N = 2^n$, and the two sides of (6) are almost as far apart as they can be, since both are between 0 and 1. This provides a counter-example to the interpretation and security guarantee.

Counter-Example to (i):

Let X and X' be independent in (6). Then (6) is violated (almost maximally).
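As an added illustration (not code from the paper), the following Python constructs both couplings discussed above for distributions over n-bit strings: the optimal coupling of Lemma 1, for which Pr[X ≠ X'] equals the variational distance, and the independent coupling P·Q, for which Pr[X ≠ X'] = 1 − 1/N even when P = Q = U. It uses the ½-normalized distance ½Σ|P(x) − Q(x)|, the normalization under which the coupling identity (6) holds exactly; the sample distributions are constructed here.

```python
from fractions import Fraction
from itertools import product


def uniform(n):
    """Uniform distribution U on the 2^n n-bit strings (constructed sample input)."""
    return {"".join(bits): Fraction(1, 2 ** n) for bits in product("01", repeat=n)}


def variational_distance(P, Q):
    """delta(P, Q) with the 1/2 normalisation, so that 0 <= delta <= 1 and
    Pr[X != X'] = delta(P, Q) holds for the optimal coupling (Lemma 1, eq. (6))."""
    keys = set(P) | set(Q)
    return Fraction(1, 2) * sum(abs(P.get(x, 0) - Q.get(x, 0)) for x in keys)


def optimal_coupling(P, Q):
    """Joint distribution P_XX' with marginals P, Q that minimises Pr[X != X'].

    Mass min(P(x), Q(x)) is placed on the diagonal (x, x); the remaining mass of
    P and of Q (each totalling delta(P, Q)) is paired off product-wise.
    """
    keys = sorted(set(P) | set(Q))
    joint, excess_p, excess_q = {}, {}, {}
    for x in keys:
        p, q = P.get(x, 0), Q.get(x, 0)
        common = min(p, q)
        if common:
            joint[(x, x)] = common
        if p > common:
            excess_p[x] = p - common
        if q > common:
            excess_q[x] = q - common
    delta = sum(excess_p.values())  # equals delta(P, Q)
    for x, a in excess_p.items():
        for y, b in excess_q.items():
            joint[(x, y)] = joint.get((x, y), 0) + a * b / delta
    return joint


def independent_coupling(P, Q):
    """The product distribution P . Q, the only coupling Eve can realistically be given."""
    return {(x, y): p * q for x, p in P.items() for y, q in Q.items()}


def mismatch_probability(joint):
    """Pr[X != X'] under a joint distribution."""
    return sum(p for (x, y), p in joint.items() if x != y)


def marginals(joint):
    """Return (P_X, P_X') of a joint distribution, to check that a coupling is valid."""
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0) + p
        py[y] = py.get(y, 0) + p
    return px, py


def compare_couplings(P, Q):
    """delta(P,Q) alongside Pr[X != X'] under the optimal and the independent coupling."""
    return {
        "delta": variational_distance(P, Q),
        "optimal": mismatch_probability(optimal_coupling(P, Q)),
        "independent": mismatch_probability(independent_coupling(P, Q)),
    }


def biased_example(n):
    """Constructed non-uniform P on n-bit strings: the all-zero string has probability
    1/2 and the rest is spread evenly over the other 2^n - 1 strings."""
    rest = Fraction(1, 2) / (2 ** n - 1)
    return {x: (Fraction(1, 2) if set(x) == {"0"} else rest) for x in uniform(n)}
```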

Moving on to (ii), one may observe that $\rho_{KE}$ cannot be "basically" the same as $\rho_U \otimes \rho_E$ in general if $\rho_U$ and $\rho_E$ are "close" to pure states. In particular, an actual product pure state $\rho_U \otimes \rho_E$ is not "basically" the same as an entangled state $\rho_{KE}$ of (3). The specific statement (ii) has the following consequence:

$$\rho_{KE} = (1-d)\,\rho_U \otimes \rho_E + d\,\sigma_{KE} \qquad (8)$$

for some state $\sigma_{KE}$, where we have used a fixed d for simplicity instead of carrying along $d \le \epsilon$. The same (near-)pure states $\rho_U$ and $\rho_E$ falsify (8) in general. A specific numerical example shows (8) to be invalid as follows.

Consider the binary case of a one-bit k where, conditioned on $k \in \{0, 1\}$, Eve has a pure probe state $|k_0\rangle$ or $|k_1\rangle$. It is readily computed that in this case $d = \frac{1}{4}\,\| |k_0\rangle\langle k_0| - |k_1\rangle\langle k_1| \|_1$, and d is thus bounded between 0 and 1/2. If Eve makes the optimum binary quantum detection on her probe, her probability of success is, from [13],

$$P_c = \frac{1}{2} + d. \qquad (9)$$

Under the hypothesis (8), we have from the total probability decomposition

$$P_c \le (1-d)\,\frac{1}{2} + d \cdot 1 = \frac{1}{2} + \frac{d}{2}. \qquad (10)$$

An exact computation from (8) with

$$\sigma_{KE} = 2^{-n} \sum_k |k\rangle\langle k| \otimes \sigma_E^k \qquad (11)$$

shows that

$$P_c = \frac{1}{2} + \frac{d}{4}\,\|\sigma_E^0 - \sigma_E^1\|_1, \qquad (12)$$

or $P_c \le 1/2 + d/2$, consistent with (10). Thus, the more secure scenario (8), with $P_c$ bounded by (10), contradicts the actual $P_c$ of (9) obtainable in this example.

The following counter-example specifically pertains to composition also. Consider a two-bit K with

$$\rho_E^{00} = \sigma \otimes \rho_1, \qquad \rho_E^{01} = \sigma \otimes \rho_2, \qquad (13)$$
$$\rho_E^{10} = \sigma \otimes \rho_2, \qquad \rho_E^{11} = \sigma \otimes \rho_1, \qquad (14)$$

for a fixed $\sigma$ on the first qubit and general states $\rho_1, \rho_2$ on the second. It is readily computed that for (13)-(14),

$$d = \frac{1}{4}\,\|\rho_1 - \rho_2\|_1, \qquad (15)$$

analogous to the above single-bit example. According to (ii), the whole 2-bit sequence has a probability $1-d$ of being the uniform U, which implies that with the same probability, knowledge of the first bit from a leak implies nothing about the second, which then cannot be determined by Eve with a success probability $P_c > 1/2 + d/2$, as in (10). On the other hand, it is evident from (13)-(14) that knowledge of the first bit would imply that the second bit can be determined with success probability $P_c = 1/2 + d$, as in (9). Thus, in this example there is no quantitative PKL-security according to (ii), or from (i), which gives the same quantitative guarantee as (ii). Combining these two examples we have

Counter-Example to (ii):

Let $\rho_E^k$ be given by (13)-(14). Then the PKL-security for composition given by (i) or (ii) is violated. Also, the single-bit security of the second bit by itself violates (ii) as in (9).
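As an added numerical check (not code from the paper), the following Python reproduces both counter-examples above with explicit probe states: it computes d from (2) and from (7), Eve's optimal success probability (9) against the bound (10) that hypothesis (8) would impose, and for the states (13)-(14) her success probability on the second bit before and after the first bit leaks. The probe states (angle θ = π/6) are constructed here; the conventions assumed are the ½-normalized trace distance in (2) and $P_c = \frac{1}{2} + \frac{1}{4}\|\rho_0 - \rho_1\|_1$ for two equiprobable states.

```python
# Added numerical check of the one-bit and two-bit counter-examples (not the paper's code).
# Conventions assumed: d = (1/2)||rho_KE - rho_U (x) rho_E||_1 as in (2), and the Helstrom
# success probability P_c = 1/2 + (1/4)||rho_0 - rho_1||_1 for two equiprobable states.
import math

def zeros(n):
    return [[0.0] * n for _ in range(n)]

def outer(v):
    """Pure state |v><v| for a real unit vector v."""
    return [[a * b for b in v] for a in v]

def lin(a, A, b, B):
    """a*A + b*B for equally sized square matrices."""
    return [[a * x + b * y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def kron(A, B):
    """Tensor product A (x) B."""
    n, m = len(A), len(B)
    C = zeros(n * m)
    for i in range(n):
        for j in range(n):
            for k in range(m):
                for l in range(m):
                    C[i * m + k][j * m + l] = A[i][j] * B[k][l]
    return C

def eigvals_sym(A, sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    n = len(A)
    A = [row[:] for row in A]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-26:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-18:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # rotate columns p, q
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # rotate rows p, q
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]

def trace_norm(A):
    """||A||_1 = sum of |eigenvalues| for a real symmetric A."""
    return sum(abs(e) for e in eigvals_sym(A))

def helstrom_pc(rho0, rho1):
    """Optimal success probability for distinguishing two equiprobable states [13]."""
    return 0.5 + 0.25 * trace_norm(lin(1.0, rho0, -1.0, rho1))

def criterion_d(cond_states):
    """d from (2) and from (7) for Eve's conditional states rho_E^k, uniform prior.
    rho_KE - rho_U (x) rho_E is block diagonal with blocks (rho_E^k - rho_E)/|K|,
    so the full-matrix trace norm of (2) must agree with the k-average of (7)."""
    N, dim = len(cond_states), len(cond_states[0])
    rho_E = zeros(dim)
    for rho in cond_states:
        rho_E = lin(1.0, rho_E, 1.0 / N, rho)
    diff = zeros(N * dim)
    for k, rho in enumerate(cond_states):
        for i in range(dim):
            for j in range(dim):
                diff[k * dim + i][k * dim + j] = (rho[i][j] - rho_E[i][j]) / N
    d_eq2 = 0.5 * trace_norm(diff)
    d_eq7 = sum(0.5 * trace_norm(lin(1.0, rho, -1.0, rho_E)) for rho in cond_states) / N
    return d_eq2, d_eq7

def one_bit_example(theta=math.pi / 6):
    """Constructed pure probe states |k0> = |0>, |k1> = cos(theta)|0> + sin(theta)|1>."""
    rho0, rho1 = outer([1.0, 0.0]), outer([math.cos(theta), math.sin(theta)])
    d, d7 = criterion_d([rho0, rho1])
    return {"d": d, "d_eq7": d7,
            "pc_actual": helstrom_pc(rho0, rho1),  # (9): 1/2 + d
            "pc_bound_under_8": 0.5 + d / 2}  # (10): what hypothesis (8) would allow

def two_bit_example(theta=math.pi / 6):
    """Constructed states (13)-(14): sigma = rho_1 = |0><0|, rho_2 = |theta><theta|."""
    sigma = outer([1.0, 0.0])
    rho1, rho2 = outer([1.0, 0.0]), outer([math.cos(theta), math.sin(theta)])
    st = {"00": kron(sigma, rho1), "01": kron(sigma, rho2),
          "10": kron(sigma, rho2), "11": kron(sigma, rho1)}
    d, _ = criterion_d([st["00"], st["01"], st["10"], st["11"]])
    # Second bit with the first unknown: Eve holds the k1-average for each value of k2.
    before = helstrom_pc(lin(0.5, st["00"], 0.5, st["10"]), lin(0.5, st["01"], 0.5, st["11"]))
    # Second bit after the first leaks as 0: distinguish rho_E^00 from rho_E^01, success 1/2 + d.
    after = helstrom_pc(st["00"], st["01"])
    return {"d": d, "pc_second_bit_before_leak": before, "pc_second_bit_after_leak": after}
```

With θ = π/6 both examples give d = 1/4: the one-bit detection succeeds with probability 3/4 although (10) would cap it at 5/8, and in the two-bit case the second bit goes from a coin toss to 3/4 once the first bit is known.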
Finally, for (iii), we note that the condition $\delta_E := \delta(P,U) = d$ has the significance that for K with distribution P, any m-bit subsequence, $1 \le m \le n$, has a probability $p_m$ from P that satisfies [14]

$$|p_m - 2^{-m}| \le d. \qquad (16)$$

Thus, a sufficiently small $\delta_E$ would have the desirable property of guaranteeing that any deviation of a K-subsequence probability from uniform is small. However, $d \le \epsilon$ does not imply (iii), either on a joint distribution from a measurement on $\mathcal{H}_B \otimes \mathcal{H}_E$ or on Eve's distribution from her measurement on $\mathcal{H}_E$. This is because $\rho_E$ is not generally the uniform state $\rho_U$, even when the range of $\{\rho_E^k\}$ has dimension exactly equal to $|K| = 2^n$. In concrete protocols, the dimension of $\rho_E^k$ would exceed $|K|$ considerably, through key sifting, error correction and privacy amplification. It does not seem possible to have any state $\rho_E$ that would yield the uniform distribution to Eve upon her general or even just projection-valued measurements.

Counter-examples on (iii) can be constructed easily from $\rho_E \ne \rho_U$. We can also use the same example (13)-(14) from (ii), on the distribution from measuring on $\mathcal{H}_E$, when $\sigma = |a\rangle\langle a|$ and Eve measures $\{|a\rangle, |b\rangle\}$, $\langle a|b\rangle = 0$, on the first probe qubit and the eigenvectors of $\rho_1 - \rho_2$ on the second. It is readily computed that in this case

$$\delta_E = \frac{1}{2} + 2d, \quad d \ge \frac{1}{4}, \qquad (17)$$
$$\delta_E = 1, \quad d \le \frac{1}{4}. \qquad (18)$$

Thus, $\delta_E \le d$ is not satisfied.

Counter-Example to (iii):

The above (17)-(18), or any $\rho_E \ne \rho_U$.

Note that $\delta(P,Q) \le \epsilon$ does not imply that the distribution P is equal to Q with probability $p \ge 1-\epsilon$, similar to the case of $\|\rho - \sigma\|_1 \le \epsilon$. That is, the following is not a consequence of $\delta(P,Q) = \epsilon$ from (5):

$$P(x) = (1-\epsilon)\,Q(x) + \epsilon\,P'(x), \qquad (19)$$
where P' is a distribution on X [15]. Similar to the quantum case (8), under (19) one may [16] infer that the distribution Q is obtained with probability $1-\epsilon$. The difference between the two is then:

(a) Under (19), the random variable X has the distribution Q with probability at least $1-\epsilon$.

(b) Under $\delta(P,Q) \le \epsilon$, $|p_m - q_m| \le \epsilon$, where $p_m$ and $q_m$ are any m-subsequence probabilities of the random vector X under P and Q.

For (a), with probability $p \ge 1-\epsilon$ all subsequences of X have exactly the probabilities given by $q_m$. Under (b), each subsequence of X has probability $q_m \pm \epsilon$. Not only is there the quantitative difference which we have discussed in this section, there is also a uniformity property for (a) that is not shared by (b). The previous interpretation [10] is similar to (a), while only (b) holds. As we have shown, such an interpretation cannot be maintained. Indeed, it appears counter-intuitive that with high probability Eve knows exactly nothing about the generated key, that not even a tiny amount of information could be derived from her probe and the public announcement.

4 Security Significance of d

The exact security significance of d with and without composition is analyzed in the following. First we note the analog in $\delta$ of the equivalence between (2) and (7) for uniformly distributed K,

$$E_k\!\left[\delta(P^k, P_E)\right] = \bar{d}, \qquad (20)$$

where $\bar{d}$ is now given by

$$\bar{d} := \delta(P_{kk'}, U_k Q_{k'}). \qquad (21)$$

In (21), $P_{kk'}$ is the joint distribution of Bob's measured key k and Eve's measurement result k' on her probe $\rho_E^k$, $U_k$ the uniform distribution on k, and $Q_{k'}$ Eve's distribution from measuring on $\rho_E$. The equality (20) follows from $P_{kk'} = P_{k'|k} U_k$ in (21), with $P^k(k') = P_{k'|k}$ and $P_E = \frac{1}{|K|}\sum_k P^k$. Equation (21) implies, from (16),

$$|P_{kk'} - U_k Q_{k'}| \le \bar{d}. \qquad (22)$$
There is no composition significance to $\bar{d} \le \epsilon$, from $d \le \epsilon$, similar to that of (i) or (ii) or (a) in Section 3. Intuitively, $\bar{d} \le \epsilon$ says from (22) that any joint distribution $P_{kk'}$ is, up to $\bar{d}$, given by the product distribution $U_k Q_{k'}$, for which Eve's measurement would yield a k' that is independent of the actual k. Thus, her estimate of k has to come from her possible a priori information on k and whatever is allowed through $\bar{d}$ of (21). However, the strongest way this restriction comes about is in spelling out the definition of $\delta(P,Q)$ in (20)-(21), and not from (22). Thus, (20) shows that only on average over K does $P_E$ carry no information on k up to $\bar{d}$; the individual (22) would yield a useless $|K|\bar{d}$ constraint on $P_{k'|k}$ for typically large $|K|$. The averaging allows that for an individual k value the security could be much worse.

To explore further the significance of $d \le \epsilon$ or $\bar{d} \le \epsilon$, we strengthen (7) to

$$d_k := \|\rho_E^k - \rho_E\|_1 \le \epsilon, \quad \forall k. \qquad (23)$$

From the triangle inequality, it follows immediately from (23) that

$$\|\rho_E^{k_1} - \rho_E^{k_2}\|_1 \le 2\epsilon, \quad \forall k_1, k_2. \qquad (24)$$

For the composition problem, especially for PKL-security, knowledge of a subsequence of K would restrict the possible k's to a smaller set. Let k be known and k' the remaining part of K. Then for each possible k', the state $\rho_E^{kk'}$ still satisfies, from (23), $\|\rho_E^{kk'} - \rho_E\|_1 \le \epsilon$. From (24), the trace distance between any two such possible k''s remains bounded by the same $2\epsilon$. It may then be inferred that partial key leakage has not affected the rest of K in so far as the security conditions (23)-(24) are concerned. However, as discussed in Section 2, it is k', the rest of K, that matters in such a context, and k' may be more readily identifiable as follows.

Eve's probability distribution from any measurement is now reduced from $2^n$ to $2^{n-m}$ possibilities when m bits are leaked. This would generally reduce her error probabilities even under (23) or (24), although it is not guaranteed to be so on a per-bit basis when normalized relative to the $(n-m)$-bit uniform distribution. In any event, a further specific quantitative measure that has direct operational meaning, such as Eve's success probability in identifying k', needs to be proposed, and a general proof provided of how strong the protocol is against partial key leakage. The previous conclusion of universal composability is so convenient due to the invalid conclusion that the generated key is uniform and independent of Eve's probe with probability $1-d$.
The condition (23) or (24) also implies that Eve's discrimination of k would be difficult for sufficiently small $\epsilon$, as all the $\rho_E^k$ are clustered together closely. Good error probability estimates for the multiple quantum state discrimination problem are available [17], but they do not cover the case where the success probability is small. It appears interesting to relate (23) or (24) to Eve's optimal success probability of determining K, or parts of it, which would provide clear security significance to $d_k \le \epsilon$. Such work could be attempted both for before-usage security and for partial key leakage.

The criterion $d \le \epsilon$ is used in the security proof as follows. An $\epsilon$-secure key K of appropriate rate $n/n_0$ is guaranteed from the measured QBER for various protocols [U El El EH] via bounds involving various $\epsilon$-smooth entropies. In [11], numerical plots on the original BB84 protocol are given for $\epsilon = 10^{-5} \sim 2^{-16}$ and $n_0 \ge 10^4$ with $n/n_0 \ge 0.1$. These results do not rule out very insecure possibilities, as follows.

There is a serious quantitative problem with the $\delta_E$ guarantee that applies even to $d_k \le \epsilon$, and assuming that reduction of $\rho_E$ to U can be achieved. It was pointed out [3], [12] that under the constraint $I_E/n \le 2^{-l}$ on Eve's mutual information per bit $I_E/n$ on K, there are distributions on K Eve may possibly obtain that give her a maximum probability $p_1$ of identifying the whole key K of $p_1 \sim 2^{-l}$. The same distribution gives

$$\delta_E = 2^{-l} - 2^{-n}, \qquad (25)$$

which is $\sim 2^{-l}$ for l up to a good fraction of n. A subsequence of K may be obtained with higher probability under the $I_E/n$ constraint, but it satisfies the more secure (16) under the $\delta_E$ constraint. Nevertheless, for $l \sim 10^2$ or smaller, an $n = 10^3$ key is far from "perfect", not only for the whole K but also for many subsequences of K. In practice, only $l \sim 10$ for $I_E/n$ has been achieved experimentally [19], and it is not clear it can be made much better for $\delta_E$. The problem is that unless $l \sim m$, the guarantee from (16) or (25) that the m-subsequence probability $p_m \le 2^{-l}$ is far worse than that of a uniform key $K = U$. Even if $l \sim 20$ can be experimentally achieved, it is quite poor for $m \sim 100$ and $n \ge 100$ as compared to a uniform key.

In this connection, it may be pointed out that the incorrect meaning assigned to d [10] makes the security situation appear much more favorable. Indeed, it seems $d = 2^{-l}$ would play the same role as the message authentication key of l bits used in creating the public channel, in that except for a probability $p = 2^{-l}$ the cryptosystem is secure. However, as a message authentication key of $l > 50$ bits may be needed for, say, $n > 10^3$ bits, a small $l \sim 20$ is not really a good guarantee. It is important to note that many numbers involved in a concrete realistic protocol with $n > 100$ are exponentially small. It is necessary to compare two very small numbers carefully.

Note also that the average constraint $d \le \epsilon$ is much weaker than $d_k \le \epsilon$ of (23). From Markov's inequality [18],

$$\Pr[X \ge \delta] \le E[X]/\delta \qquad (26)$$

for a nonnegative-valued random variable X, one may guarantee that $X \ge \delta$ occurs with probability at most $\epsilon$ by imposing $E[X] \le \epsilon\delta$ instead of just $E[X] \le \epsilon$. For a concrete protocol guarantee, a single application of (26) already severely strains the numerical requirement for a given quantitative level. The situation becomes much worse for multiple guarantees of the form (23) or (24).

In sum, we have shown that d does not have the meaning attributed 
to it in the literature, while for concrete protocols its quantitative security 
significance with and without composition does not seem to be much better 
than the mutual information criterion. 

5 Side Information 

As discussed in Section 2, the composition problem involves side information 
Eve may obtain depending on the exact context in which the key K is used. 
There is similar side information even during protocol execution which Eve 
obtains but which is not accounted for in protocol security analysis. This is 
partly due to the fact that the exact message authentication code for creating 
a tamper-proof public channel, the error correcting code, as well as the privacy 
amplification code are not usually precisely specified in security analysis, and 
when they are, their specific character is not usually taken into account. We 
will indicate some of the issues in this section which are related to our analysis 
in this paper. We will not discuss the message authentication problem here, 
except noting that the full specific details of the protocol could be exploited 
by an attacker as the following discussion on ECC and PAC demonstrates. 

In the criterion d of (2)-(4) the assumption is made that the a priori 
distribution of the key K is uniform. However, the often suggested direct 
use of an ECC on the key K_c to be corrected after sifting and testing would 
bias the a priori probability. This is because an ECC would "decode" K_c to 
a message, but only perfect codes [20] would have equal size decision regions 
that are needed to assure equal a priori probabilities for the different K 
values. However, perfect codes are rare and none is a good candidate for a 
concrete protocol, while the relative sizes of the decision regions with any 
decoding rule for common ECC's have not been studied in coding theory. 
This problem does not arise when K_c is used as additive noise to a 
uniformly chosen codeword. 

Similarly, a matrix is typically chosen as a PAC, say an m × n Toeplitz 
matrix that belongs to a "universal class" [HE]. However, a singular matrix 
would leak information to Eve even if the original bit sequence to be 
compressed is perfect. Indeed, in the binary case a rank m − r matrix would leak 
r bits of Shannon information to Eve, since each linear combination of the n bits 
that gives 0 would leak one bit of information. This problem has not been 
dealt with in the literature. 

In particular, eq. (11) in ref [lj cannot guarantee an ε-secure key for any 
given universal hash function. At best it could only do that when averaged 
over such functions. Even then it is rather amazing to have such a guarantee 
automatically on a universal family of Toeplitz matrices that has many 
singular members. In any event, another application of Markov's inequality 
for an individual guarantee is necessary in this case if one does not analyze 
further the proportion of singular matrices in a Toeplitz family. 

The point here is that unless the full protocol is specified, one would not 
be able to tell how Eve may utilize any side information to obtain further 
information on the generated key. In particular, universality is too vague 
to allow a complete mathematical characterization and each specific context 
such as partial key leakage should be analyzed individually. 

6 Concluding Remarks 

We have shown that the criterion d, the seemingly most potent criterion that 
has so far appeared in the QKD literature, does not solve the composability 
problem such as partial key leakage. Its empirical and quantitative signifi- 
cance has been analyzed in detail, and found to be different from what it is 
so far taken to be. Not only does it not guarantee that the generated key K is 
uniformly distributed and independent of the attacker's probe with a high 
probability, it also does not guarantee that the variational distance δ_E = δ(P, U) 
between the attacker's possible distribution P on K and the uniform 
distribution U is small. Furthermore, it appears very difficult for d to provide 
an adequate quantitative security guarantee through its legitimate meaning for 
concrete realistic protocols, similar to the situation of the attacker's mutual 
information per bit criterion [3]. The general issue of side information that 
Eve may obtain is also discussed in relation to both universality and general 
quantitative security. It appears there is much to be elaborated on in QKD 
security analysis in regard to both the empirical significance of security criteria 
and their quantitative adequacy in concrete realistic protocols. 



7 Acknowledgement 

I would like to thank R. Nair, M. Raginsky, and R. Renner for useful discus- 
sions. This work was supported by AFOSR. 



References 

[1] C.H. Bennett and G. Brassard, in Proc. IEEE Int. Conf. on Computers, 
Systems, and Signal Processing, Bangalore, India (IEEE, Los Alamitos, 
CA), 175-179 (1984). 

[2] A general review can be found in N. Gisin, G. Ribordy, W. Tittel, H. 
Zbinden, Rev. Mod. Phys. 74, 145-195 (2002). 

[3] H.P. Yuen, to appear in IEEE J. Sel. Top. in Quantum Electronics; also 
arXiv:0906.5241, http://arxiv.org/abs/0906.5241 

[4] R. Renner and R. König, Second Theory of Cryptography Conference 
(TCC), Lecture Notes in Computer Science, vol. 3378 (Springer, New 
York, 2005), pp. 407-425. 

[5] R. Renner, Int. J. Quant. Inf. 6, 1 (2008); also arXiv: quant-ph/0512258. 

[6] R. Renner, N. Gisin, and B. Kraus, Phys. Rev. A 72, 012332 (2005). 

[7] R. König, R. Renner, A. Bariska, and U. Maurer, Phys. Rev. Lett. 98, 
140502 (2007). 

[8] M. Ben-Or, M. Horodecki, D.W. Leung, D. Mayers, and J. Oppenheim, 
Second Theory of Cryptography Conference (TCC), Lecture Notes in 
Computer Science, vol. 3378 (Springer, New York, 2005), pp. 386-406. 

[9] R. König, U. Maurer, and R. Renner, IEEE Trans. Inform. Theory 51 
(2005), pp. 2381-2401. 

[10] This is explicitly stated in [4], p. 14; [5], Section 2.2.2; [6], p. 012332-5; 
[7], p. 140502-3; [11], p. 200501-2. 

[11] V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008). 

[12] H.P. Yuen, in: O. Hirota, J.H. Shapiro, M. Sasaki (Eds.), Proceedings of 
the QCMC, NICT Press, 2006, p. 163. 

[13] C.W. Helstrom, Quantum Detection and Estimation Theory, Academic 
Press, New York (1976). 

[14] M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum 
Information, Cambridge University Press, 2000; p. 401. 

[15] A specific counter-example was provided to the author by R. Renner. 

[16] There is the subtle issue of ensemble identity similar to the "partition 
ensemble fallacy" in quantum mechanics that may cast doubt on such 
inference on distributions, which we do not enter into here. 

[17] J. Tyson, J. Math. Phys. 50, 062102 (2009). 

[18] T.M. Cover and J.A. Thomas, Elements of Information Theory, Wiley, 
1991. 

[19] J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tomita, Asian Conference 
on Quantum Information Science 2007, Shiran-kaikan, Kyoto, Sep. 3-6 
(2007). 

[20] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error Correcting 
Codes, New York, Elsevier/North Holland, 1977. 



